From: "Anthony Rubin" <arubin@concentric.net>
To: "Kris Kennaway", freebsd-www@freebsd.org
References: <20010506013753.A51338@xor.obsecurity.org>
Subject: Re: Attack on dosendpr.cgi
Date: Sun, 6 May 2001 15:48:54 -0500
Message-ID: <000f01c0d66d$f6b8cf20$6400000a@violentmonkey.org>

dosendpr.cgi uses html.pl to parse its input, which will allow any method, but from looking at the code it probably won't function correctly for anything other than GET or POST. Basically it checks if the method is GET and if so parses the environment variable QUERY_STRING, otherwise it reads from STDIN without checking the method. This should work fine for POST, but I'm not sure offhand what will happen with various other methods. It populates a hash named %cgi_data with the data and stores the method in a scalar named $cgi_method.

You could modify dosendpr.cgi to check $cgi_method, but it would be trivial to write a Perl script to submit the form multiple times using POST. I don't have a suggestion at this time for the best solution for this problem.
I would also like to point out that I have found no less than 4 different ways in which the CGI scripts are parsing their input:

  html.pl
  cgi-lib.pl
  CGI.pm
  (processing the input in the script itself)
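The two parsing behaviours the message contrasts, as an added illustration: a permissive parser that special-cases GET and otherwise reads the body from stdin regardless of method (the html.pl behaviour described above), and a strict variant that checks the method first, which is the in-script check the message suggests and then dismisses. This is Python written for this page, not html.pl or dosendpr.cgi code; the form field names, the MethodNotAllowed exception and the assumption that CONTENT_LENGTH is honoured when present are all mine. Run stand-alone it also shows the message's point that a method check does nothing against repeated POSTs.

```python
"""Model of permissive vs. method-checked CGI input parsing (added example)."""
import io
from urllib.parse import parse_qs

# Constructed sample form body; the real dosendpr.cgi field names are not
# given in the message, so these are placeholders.
SAMPLE_FORM = "category=misc&synopsis=test+report&description=hello"


class MethodNotAllowed(Exception):
    """Raised by the strict parser for a method it does not accept (my name)."""


def read_body(environ, stdin):
    """Read the request body from stdin.

    Assumption: CONTENT_LENGTH is honoured when present; the message does
    not say how html.pl reads STDIN, only that it reads it without checking
    the method.
    """
    length = environ.get("CONTENT_LENGTH", "")
    if length.isdigit():
        return stdin.read(int(length))
    return stdin.read()


def parse_cgi_input_permissive(environ, stdin):
    """Behaviour as described for html.pl: only GET is special-cased
    (QUERY_STRING); every other method falls through to reading stdin.

    Returns (method, data) to mirror $cgi_method and %cgi_data.
    """
    method = environ.get("REQUEST_METHOD", "")
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    else:
        raw = read_body(environ, stdin)
    data = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    return method, data


def parse_cgi_input_strict(environ, stdin, allowed=("GET", "POST")):
    """The script-side check the message suggests: look at the method before
    accepting the data, and reject anything outside the allowed set."""
    method = environ.get("REQUEST_METHOD", "")
    if method not in allowed:
        raise MethodNotAllowed(method)
    return parse_cgi_input_permissive(environ, stdin)


def parse_request(parser, method, body=""):
    """Build a minimal CGI environment for one request and run a parser on it.
    For GET the body is passed as QUERY_STRING, otherwise on stdin."""
    environ = {"REQUEST_METHOD": method}
    if method == "GET":
        environ["QUERY_STRING"] = body
    else:
        environ["CONTENT_LENGTH"] = str(len(body))
    return parser(environ, io.StringIO(body))


def count_accepted(parser, requests):
    """Number of (method, body) requests the given parser accepts."""
    accepted = 0
    for method, body in requests:
        try:
            parse_request(parser, method, body)
            accepted += 1
        except MethodNotAllowed:
            pass
    return accepted


if __name__ == "__main__":
    mixed = [(m, SAMPLE_FORM) for m in ("GET", "POST", "PUT", "FOO")]
    print("permissive accepts", count_accepted(parse_cgi_input_permissive, mixed), "of", len(mixed))
    print("strict accepts    ", count_accepted(parse_cgi_input_strict, mixed), "of", len(mixed))
    # The message's objection: the method check is no obstacle to a script
    # that simply POSTs the form repeatedly.
    repeated = [("POST", SAMPLE_FORM)] * 5
    print("strict accepts    ", count_accepted(parse_cgi_input_strict, repeated), "repeated POSTs")
```

The strict parser answers the "any method" observation but, as the message says, not the underlying abuse: every one of the repeated POSTs still passes. Whatever limit the form needs has to be applied on top of, not inside, the input parser.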